September 07, 2017
Using WinRM Through Meterpreter
Written by
TrustedSec
Penetration Testing
Security Testing & Analysis
Windows Remote Management (WinRM) is Microsoft’s implementation of the WS-Management (WSMan) protocol, which is used for exchanging management data between machines that support it. WSMan, in the case of Windows, supplies this data from WMI and transmits them in the form of SOAP messages. More info here. Why is any of this important to you?
Well, say you have a high-context shell on a single system and known good administrative creds to other systems, but you are afraid to use traditional lateral movement techniques (such as Metasploit’s PSExec or Empire’s invoke_wmi) as you suspect you will get busted by their shiny new $NextGenAV. More and more AVs are catching previously hard-to-detect techniques as well as commands that rely fundamentally on an encoded PowerShell command (powershell.exe -enc...).
WinRM to the rescue! For some great background reading have a look at Rapid7's article on WinRM, then bookmark NetSPI's article, which is the de facto cheatsheet for WinRM commands.
So why another article on WinRM?
This article is about the practical outworking of WinRM via a single meterpreter session (much of this carries over into any other exploit kit that you can achieve an interactive shell with). Metasploit modules like auxiliary/scanner/winrm/winrm_cmd are great, but they just sent the POST request to WSMan, and don't do any of the pre-work necessary to get WinRM configured on the client or target systems. Additionally, you will be more effective as a pentester if you understand what your tools are doing and how the underlying technology works. You will also be in a better position to think on the fly and troubleshoot when things don’t work. =)
So, to summarize:
Goals
- Execute code on a target domain-joined Windows system in a stealthy(er) way
- You have a working meterpreter payload that won't get flagged by AV
- You are in a high-context shell
- You have administrative credentials to your target
- You have the necessary routing to the target setup via your session
- You see WinRM open on your target (tcp: 5985 (HTTP) or 5986 (HTTPS))
- Set up a PowerShell credential object using our password for LAB\Bill-DA.
- Attempt to connect to the WSMan instance on our remote target.
- Display the available WSMan containers after our connection attempt. If everything goes well, we should see an instance for our target machine: